Yahoo has finally admitted this...but the admission was only the tip of the iceberg.
So here's what happened. Our group e-mail, which has never noticeably been hacked, has had the same password for years. I went in and changed it. Our inactive e-friend Ronia Regal has also been known to receive e-mail forwarded from Salolianigodagewi, occasionally even from this computer, so I know her password, so I got in and changed that to the same temporary password to which I temporarily changed Saloli's. While I was there, I noticed that the account displayed a phone number. That's very, very bad, especially since the number looks like one the local phone company assigns to cell phones that use prepaid minutes. So I tried deleting the phone number, and the system hiccupped and, apparently, changed the password to something other than either the original password or the temporary one I'd set up.
Yahoo supposedly offers an automatic fix. Just click on a button, enter a different e-mail address (Saloli's), and receive a "recovery key," or one-time temporary password. I did that twice. Yahoo did not, however, actually accept the temporary password. Instead it tried to run everything through the phone number Yahoo should never, never, never have been allowed to have.
Attention, Yahoo. Attention, Verizon. People use the Internet because, and as long as, it costs them nothing. Try linking it to phones that cost money, and we'll have to give up using the Internet. You need to redesign the system. E-mail sites should not allow anything that looks like a phone number to be displayed on any part of the system other than the text of an actual message that can be permanently deleted with one click.
Forget about using phones to "verify" anything online. The best way to avoid being robbed of someone else's property, such as the number for a cell phone that uses prepaid minutes, is not to have it. You need to work at excluding phone numbers from web sites, even though people do think "Well, the phone number I used twenty years ago would be easy to remember" when setting up passwords.
Nine digits? Could be a Social Security number. Ten digits? Could be a phone number. Neither of those things belongs in "the cloud." E-mail passwords should allow either eight or fewer, or eleven or more, numeric characters to appear in a row.